www.cleafy.com
34.253.101.190
Public Scan
URL:
https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly
Submission: On October 05 via api from MY — Scanned from DE
Text Content
Malware, Android, SOVA, Banker

SOVA MALWARE IS BACK AND IS EVOLVING RAPIDLY

PUBLISHED: 11/8/22

INTRODUCTION

In September 2021, SOVA, a new Android Banking Trojan, was announced in a known underground forum. Even though at that time the author claimed the malware was still under development, it already had multiple capabilities and was almost in the go-to-market phase. Furthermore, the authors of SOVA showed a roadmap with the future updates of the malware, as shown in Figure 1.

Figure 1 – Roadmap of SOVA (September 2021)

Until March 2022, multiple versions of SOVA were found and some of these features were already implemented, such as: 2FA interception, cookie stealing and injections for new targets and countries (e.g. multiple Philippine banks).
In July 2022, we discovered a new version of SOVA (v4) which presents new capabilities and seems to be targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets.

Figure 2 – Main countries targeted by SOVA v4

UPDATES - SOVA V4

Starting from May 2022, Threat Actors (TAs) behind SOVA have started to deliver a new version of their malware, hidden within fake Android applications that display the logos of a few famous ones, such as Chrome, Amazon, an NFT platform or others.

Figure 3 – Main icons used by SOVA v4

Unlike the previous versions, this time several new pieces of code were added. The most interesting part is related to the VNC capability. As shown in Figure 1, this feature has been in the SOVA roadmap since September 2021, which is strong evidence that TAs are constantly updating the malware with new features and capabilities.

Starting from SOVA v4, TAs can obtain screenshots of the infected devices to retrieve more information from the victims. Furthermore, the malware is also able to record and obtain any sensitive information, as shown in Figure 5. These features, combined with Accessibility services, enable TAs to perform gestures and, consequently, fraudulent activities from the infected device, as we have already seen in other Android Banking Trojans (e.g. Oscorp or BRATA).

With SOVA v4, TAs are able to manage multiple commands, such as: screen click, swipe, copy/paste and the capability to show an overlay screen to hide the screen from the victim. However, it was observed that multiple pieces of log information are still sent back to the C2. This behavior is a strong indicator that SOVA is still going through a development process, while TAs are rolling out new features and capabilities.

Figure 4 – Code comparison between SOVA v3 and v4

Figure 5 – Casting/Recording feature of SOVA v4

Moreover, in SOVA v4, the cookie stealer mechanism was refactored and improved.
In particular, TAs specified a comprehensive list of Google services whose cookies they are interested in stealing (e.g. Gmail, GPay, and Google Password Manager), plus a list of other applications. For each of the stolen cookies, SOVA will also collect additional information such as “is httpOnly”, its expiration date, etc.

Figure 6 – Refactoring and improvement of the cookie stealer mechanism in SOVA v4

Another interesting update about SOVA v4 is the refactoring of its “protections” module, which aims to protect the malware from various actions by the victim. For example, if the user tries to uninstall the malware from the settings or by pressing the icon, SOVA is able to intercept these actions and prevent them (through the abuse of Accessibility services) by returning to the home screen and showing a toast (small popup) displaying “This app is secured”.

Figure 7 – “Protections” code comparison between SOVA v3 and v4

A peculiarity of SOVA v4 is the relocation of the “core” of the malware. Like the main Android banking trojans, SOVA uses the .apk just to unpack a .dex file which contains the real malicious functionalities of the malware. In the previous version, SOVA stored the .dex file inside the directory of the app, while in the current version it uses a device's shared storage directory (“Android/obb/”) to store it.

Lastly, in SOVA v4, an entirely new module was dedicated to the Binance exchange and the Trust Wallet (official crypto wallet of Binance). For both applications, TAs aim to obtain different information, like the balance of the account, different actions performed by the victim inside the app and, finally, even the seed phrase (a collection of words) used to access the crypto wallet.

C2 COMMUNICATIONS AND PANEL

The communications between SOVA v4 and the C2 didn’t change compared to the previous version (v3), except for the new command (vncinfo) used for its new VNC feature.
Meanwhile, the C2 panel of SOVA was also updated compared to the first version published by the author in September 2021, with some new features and a complete UI restyle (as shown in Figure 8).

Figure 8 – Comparison between SOVA C2 panels

Figure 9 – Comparison between SOVA configuration files

NEW TARGETS

The first version of SOVA had almost 90 targeted applications (including banks, crypto wallets/exchanges, and generic shopping apps), initially listed and stored in the packageList.txt file within the assets/ folder. In the latest samples, this file has been removed and the targeted applications are managed through the communications between the malware and the C2.

The number of targeted applications has grown faster compared to the initial phases of SOVA: during March 2022 multiple Philippine banks were added, and then during May 2022 another list of banking applications was added too, as shown in Figure 10.

Figure 10 – Comparison between SOVA targets, from September 2021 to July 2022

To obtain the list of targeted applications, SOVA sends the list of all applications installed on the device to the C2, right after it has been installed. At this point, the C2 sends back to the malware the list of addresses for each targeted application, and this information is stored inside an XML file.

Figure 11 – Example of communication between SOVA v4 and the C2 server

Figure 12 – Example of fake page used to steal credentials and credit card information

Another interesting fact is that, in some of the analyzed samples of SOVA v4, the list of CIS regions used in the previous versions (used to exclude these countries from attacks) was removed and, at the time of writing, all the initial Russian and Ukrainian targeted apps were removed.

Figure 13 – List of CIS regions removed in one of the samples of SOVA v4

FURTHER UPDATES - SOVA V5

While reviewing the document on SOVA v4, we spotted on our threat intelligence platform (Cleafy ASK) multiple samples that seem to belong to a further variant of SOVA (v5); we want to provide you with an overview of this variant too.

Analyzing the code of the malware, it is possible to observe a big refactoring of the code, the addition of new features and some small changes in the communications between the malware and the C2 server. Furthermore, the samples of SOVA v5 that we analyzed don’t present the VNC module that we observed in SOVA v4: our hypothesis is that it was simply not integrated in the v5 version yet. In fact, the malware seems to be still under development, due to the presence of multiple logs used for debugging.

Figure 14 – List of commands of SOVA v5

Although there are several changes, the most interesting feature added in SOVA v5 is the ransomware module, which was announced in the roadmap of September 2021. However, even though this feature has already been implemented in the current version (v5), at the time of writing it seems to be still under development.

The aim of TAs is to encrypt the files inside the infected devices through an AES algorithm and rename them with the extension “.enc”.

The ransomware feature is quite interesting as it’s still not a common one in the Android banking trojans landscape. It strongly leverages the opportunity that has arisen in recent years, as mobile devices became for most people the central storage for personal and business data.

Figure 15 – Ransomware module of SOVA v5

CONCLUSIONS

With the discovery of SOVA v4 and SOVA v5, we uncovered new evidence about how TAs are constantly improving their malware and the C2 panel, honouring the published roadmap. Although the malware is still under development, it’s ready to carry out fraudulent activities at scale.

APPENDIX 1: IOCS

IoC                                         Description
0533968891354ac78b45c486600a7890            SOVA v4
ca559118f4605b0316a13b8cfa321f65            SOVA v4 without CIS regions
socrersutagans.]site                        C2 of SOVA v4
omainwpatnlfq.]site                         Server used to display fake website of targeted app
74b8956dc35fd8a5eb2f7a5d313e60ca            SOVA v5
satandemantenimiento.com                    C2 of SOVA v5
http://wecrvtbyutrcewwretyntrverfd.xyz      C2 of SOVA v5

MEET THE AUTHORS

Francesco Iubatti, Mobile Malware Analyst & Threat Intelligence Analyst
Federico Valentini, Head of Threat Intelligence and Incident Response

© 2021 Cleafy S.p.A. Via Simone Schiaffino, 11 20158 Milano, Italy VAT 02340370226